Alligator detects GPS-leaking adware

02 Aug 2013

These last few months, we have been using and tuning a data mining engine developed by researchers at Telecom ParisTech. The tool is named Alligator, mostly because we believe alligators are hungry animals 🙂 (and a little because it stands for “_AnaLyzing maLware wIth partitioninG and probAbiliTy-based algORithms_”). Integrated into our own crawling, property extraction and reporting architecture, the engine helps us spot suspicious packages among the huge load of Android applications.

Recently, as we were tuning our framework, Alligator reported a highly suspicious application named YoungsterZZ2B42BAndroid.apk (a youth portal for Android). Actually, I believed the application was genuine, so I started investigating why Alligator was complaining.

First, I was somewhat amused to find in the package a raw resource named “falsepositives.txt”. That text file explains that the application is built with a respectable development environment:

“Reputable companies including banks, US Government/ Military sector are using our tools”

and that the platform’s code

“is 100% malware/spyware/virus free.”

Is it? Well, for version 0.84.13498.72181, let me have my doubts. In particular, the screenshot below shows the application sending your GPS longitude and latitude in clear text to the environment’s ads servers. Parents, if you wish to track your kids, they are making it easy for you 😉

Figure 1. The tool sends the IMEI (hid), GPS longitude (tlon) and latitude (tlat) in cleartext. In my particular case, my Android emulator does not release any valuable information 🙂
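As an added example (not code from the original post or from the Alligator project), here is a small Python check that flags HTTP request lines carrying the hid/tlon/tlat parameters seen in the screenshot and notes whether they travel over plain http; the hostnames and request lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters observed in the capture: hid (IMEI), tlon and tlat (GPS).
SENSITIVE_PARAMS = {
    "hid": "device identifier (IMEI)",
    "tlon": "GPS longitude",
    "tlat": "GPS latitude",
}

# Constructed sample request lines; the hosts are placeholders, not real ad servers.
SAMPLE_REQUEST_LINES = [
    "GET http://ads.example.invalid/track?hid=000000000000000&tlon=0.0&tlat=0.0 HTTP/1.1",
    "GET http://cdn.example.invalid/banner.png HTTP/1.1",
    "GET https://ads.example.invalid/track?hid=123456789012345&tlon=2.35&tlat=48.85 HTTP/1.1",
    "POST http://api.example.invalid/v1 HTTP/1.1",
]


def analyze_request_line(line):
    """Return a finding for one HTTP request line, or None if nothing sensitive is present."""
    parts = line.split()
    if len(parts) < 2:
        return None
    url = parts[1]
    parsed = urlsplit(url)
    query = parse_qs(parsed.query)
    leaked = {p: desc for p, desc in SENSITIVE_PARAMS.items() if p in query}
    if not leaked:
        return None
    return {
        "host": parsed.hostname,
        # Plain http means the identifier and coordinates are readable on the wire.
        "cleartext": parsed.scheme == "http",
        "leaked": leaked,
        # Both coordinates together give a usable position fix.
        "has_gps": "tlon" in leaked and "tlat" in leaked,
    }


def scan(lines):
    """Run the check over a list of request lines and keep only the findings."""
    return [f for f in (analyze_request_line(line) for line in lines) if f]
```

The same check can be pointed at a proxy or emulator capture to confirm which hosts receive the device identifier and position.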

I hope that “the reputable companies including banks, US Government/ Military sector” are aware that their GPS coordinates are being sent in clear text over the Internet.

As the company’s intent does not seem malicious, we are detecting such samples as Adware/Geyser!Android. Had it come from another source, it would certainly have been classified as a trojan spyware.